As trusted leaders in the global software industry, BSA members are at the forefront of Internet of Things (IoT) innovation, including advancements in IoT security. BSA endorses the following principles for building trust in the IoT that embody a responsible, risk-based approach to government IoT security policy.


1. Account for the IoT ecosystem's diversity and complexity. Holistically consider the complexity and diversity of the IoT ecosystem, recognizing the unique role each part of the system plays and how those parts interact, and design policies that are technology-neutral and flexible to accommodate such complexity.


2. Define key concepts and requirements clearly. Clearly define key concepts and requirements related to IoT security, such as "IoT" and "IoT device."


3. Secure the whole IoT ecosystem, not just devices. Drive a risk-based approach to trust and safety by considering software, firmware, and hardware deployed throughout IoT technologies, and avoiding device-centric policies that disrupt sophisticated network-based security measures.


4. Distinguish between consumer IoT and industrial IoT (IIoT). Address the different risks posed by consumer IoT and IIoT technologies, rather than pursuing one-size-fits-all approaches. Policies for consumer devices may need to prioritize building security into devices, while industrial users may need more flexibility to tailor security measures to their unique, complex operating environments.


5. Build on industry best practices. Be informed by the expertise of industry leaders and incorporate widely accepted, risk-based IoT security best practices developed by industry to elevate the security of the entire IoT market.


6. Incentivize security throughout the IoT life cycle. Incentivize businesses to voluntarily establish coordinated vulnerability disclosure processes and end-of-life policies to promote security throughout the IoT life cycle.


7. Embrace multi-stakeholder processes. Leverage multi-stakeholder processes to collaborate with industry and develop best practices for IoT security based on existing, consensus-based guidelines.


8. Seek national and international policy harmonization. Align IoT security policies, to the greatest extent possible, with other similar efforts underway around the world.


9. Support the development and use of internationally recognized IoT standards. Link IoT security policies to global, voluntary, and consensus-based standards wherever they exist, and support the development of new internationally recognized IoT security standards.


10. Establish baseline security requirements as necessary and appropriate. Align core security capabilities, where necessary, with widely accepted international standards, which are regularly updated to keep pace with the latest technology and security practices.


11. Integrate security into IoT acquisition. Incentivize departments and agencies in the procurement process to prioritize secure, interoperable, and scalable IoT solutions for assets based on voluntary, industry-led, consensus-based, global guidelines.


12. Include IoT in incident response. Integrate IoT considerations into incident response planning, including policies for IoT incidents and emergency responses.